Authorization Bypass Vulnerability in Concrete CMS Calendar Block
CVE-2026-8205
6.3 MEDIUM
What is CVE-2026-8205?
Concrete CMS versions up to 9.5.0 are susceptible to an authorization bypass in the Calendar Block. The vulnerability arises because the action_get_events method does not validate user permissions through the canView check, allowing unauthorized users to access restricted event details. Organizations running affected versions should promptly evaluate their systems and apply available updates to mitigate this security risk.
Affected Version(s)
Concrete CMS 5.0 <= 9.5.0
